Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security policy #26204

Merged
merged 1 commit into from
Jun 8, 2023
Merged

Add security policy #26204

merged 1 commit into from
Jun 8, 2023

Conversation

pnacht
Copy link
Contributor

@pnacht pnacht commented Jun 6, 2023

Fixes: #26205

Description

Anyone who's found a vulnerability in three.js (i.e. denial-of-service) has no clear way of privately reporting it. This PR adds a security policy that tells users how to report vulnerabilities responsibly.

The current version of the policy suggests users either send an email (to an address found in the Code of Conduct) or use GitHub's private reporting tool. If you'd rather choose just one, change the email (if you'd rather use another with a smaller or different subset of maintainers) or anything else, let me know and I'll patch the PR!

This contribution is funded by Google.

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
@LeviPesin
Copy link
Contributor

Could you please explain what could be a security vulnerability in Three.js? What attack scenario could use it?

@pnacht
Copy link
Contributor Author

pnacht commented Jun 6, 2023

I mentioned DoS attacks above, but given three.js is client-side, the more reasonable attack would likely be something that causes three.js to hang and consume all memory when given what should be acceptable inputs, crashing the entire site for the user.

Another threat would be a malicious import to run a crypto miner every time three.js loads.

@donmccurdy
Copy link
Collaborator

donmccurdy commented Jun 6, 2023

I agree that a security policy is a fair thing to ask. Another example could be discovering a vulnerability in one of our model loaders, allowing maliciously-crafted 3D models to execute code on a website that allows user-generated model uploads. The risk is dramatically worse if the user is logged in to that website, because the executable code runs within the user's authenticated session, and could make network requests.

Whether we are comfortable handling security disclosures as documented in the PR, I will leave others to decide.

Related discussion on Stack Overflow: https://stackoverflow.com/a/76415718/1314762.

@mrdoob mrdoob added this to the r154 milestone Jun 8, 2023
@mrdoob mrdoob merged commit b2f7499 into mrdoob:dev Jun 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add a security policy
4 participants